This is one feature I have been waiting for for a long time. On the previous generation of controllers (such as the 5508, 2504 and WiSM2) running software 7.4 or later you can get some visibility via AVC (Application Visibility & Control) and export NetFlow data to a collector, but you need a particular NetFlow collector (Plixer or Cisco Prime Assurance) to view the exported records, because the flow format is not strictly NetFlow v9 compatible.
With the new 3850 it is standard NetFlow v9, and wireless traffic is handled no differently from wired traffic, since the wireless traffic is terminated at the switch itself. In this post we will see how to configure NetFlow for a WLAN created on a 3850. Here is the basic topology for the post.
I have defined an SSID called “3850” with open authentication for simplicity. Here is what the WLAN configuration looks like.

wlan 3850 17 3850
 no broadcast-ssid
 client vlan WLN-STF-1
 ip dhcp server x.x.26.100
 radio dot11a
 no security wpa
 no security wpa akm dot1x
 no security wpa wpa2
 no security wpa wpa2 ciphers aes
 no shutdown
If you want to monitor the traffic to/from this WLAN you need to configure a flow monitor and apply it in the inbound or outbound direction (or both). Flexible NetFlow has the advantage that you can apply different flow monitors to the same interface depending on what flow information you want to collect, whereas Traditional NetFlow (TNF) collects a fixed set of fields and cannot be customized. A flow monitor consists of one flow record (exactly one per monitor) and one or more flow exporters. Here is a summary of the configuration steps, starting with the flow record. The “match” fields are the key fields that define what counts as a distinct flow; the “collect” fields are the non-key values gathered for each flow.

3850-1(config)#flow record WLAN
3850-1(config-flow-record)#match ?
  datalink     Datalink (layer2) fields
  flow         Flow identifying fields
  interface    Interface fields
  ipv4         IPv4 fields
  ipv6         IPv6 fields
  transport    Transport layer fields
3850-1(config-flow-record)#match ipv4 ?
  destination  IPv4 destination address based fields
  protocol     IPv4 protocol
  source       IPv4 source address based fields
  tos          IPv4 type of service
  ttl          IPv4 TTL
  version      IP version from IPv4 header
3850-1(config-flow-record)#collect ?
  counter      Counter fields
  interface    Interface fields
  timestamp    Timestamp fields
  transport    Transport layer fields
3850-1(config-flow-record)#collect counter ?
  bytes    Total number of bytes
  packets  Total number of packets
3850-1(config-flow-record)#collect counter bytes ?
  layer2  Total number of layer 2 bytes
  long    Total number of bytes (64 bit counter)

flow record WLAN
 match ipv4 version
 match ipv4 tos
 match ipv4 ttl
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 collect counter bytes long
 collect counter packets long
Here is the configuration of my flow exporter, named “FLK-1”. I have used Fluke NetFlow Tracker as the collector.

3850-1(config)#flow exporter FLK-1
3850-1(config-flow-exporter)#?
  default          Set a command to its defaults
  description      Provide a description for this Flow Exporter
  destination      Export destination configuration
  dscp             Optional DSCP
  exit             Exit from Flow Exporter configuration mode
  export-protocol  Export protocol version
  no               Negate a command or set its defaults
  option           Select an option for exporting
  source           Originating interface
  template         Flow Exporter template configuration
  transport        Transport protocol
  ttl              Optional TTL or hop limit

flow exporter FLK-1
 destination x.x.8.216
 source Vlan999
 transport udp 9995
Then you define the flow monitor and assign the flow record and flow exporter to it. In my case I have defined two flow monitors, V4-IN and V4-OUT, which for simplicity use the same record and exporter. You can use a different record in each monitor (still a single record per monitor) and multiple exporters if you have more than one NetFlow collector.

3850-1(config)#flow monitor V4-IN
3850-1(config-flow-monitor)#?
  cache        Configure Flow Cache parameters
  default      Set a command to its defaults
  description  Provide a description for this Flow Monitor
  exit         Exit from Flow Monitor configuration mode
  exporter     Add an Exporter to use to export records
  no           Negate a command or set its defaults
  record       Specify Flow Record to use to define Cache

flow monitor V4-IN
 exporter FLK-1
 record WLAN
!
flow monitor V4-OUT
 exporter FLK-1
 record WLAN
Now you can apply these monitors to the WLAN you configured earlier.

3850-1(config)#wlan 3850
3850-1(config-wlan)#ip flow monitor V4-IN input
3850-1(config-wlan)#ip flow monitor V4-OUT output
Now it is time to see what’s coming in and going out of this WLAN. I am playing a YouTube video on an iPhone 5 and a tablet while making a call between 7925G and 7965 phones. Here is the traffic coming from these wireless devices.
If you look at the applications (or protocols) you will see something like this, but everything is categorized as TCP or UDP port 0. This is because the flow record we defined does not include the transport ports, so the collector has no port information to display. Adding the two transport port fields to the record fixes that:

flow record WLAN
 match transport source-port
 match transport destination-port

Now let’s monitor the traffic again and see whether it gets captured. Everything now comes with application names and port numbers, since we are capturing that information. Note that because the ports are added as match (key) fields, each distinct port pair now becomes its own flow, so the number of exported flows per client increases accordingly.
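To see what actually arrives at the collector on UDP/9995, here is a small NetFlow v9 decoder written for this post as an added example; it is not Cisco, Fluke or the original article's code. It parses the v9 header, template FlowSets and data FlowSets the way a collector does, and its demo() builds two constructed export packets that mirror the “WLAN” record before and after the transport port fields were added, so you can see why the first version leaves the collector with no port to show. Field type numbers are taken from RFC 3954; the template IDs, addresses and counters are made up, and ttl is left out because the page does not show which export type the switch uses for it.

```python
"""Minimal NetFlow v9 (RFC 3954) collector-side decoder.

Added example for this post, not code from Cisco, Fluke or the original
article. demo() decodes two constructed exports that mirror the "WLAN" flow
record before and after the transport ports were added to it.
"""
import ipaddress
import struct

# RFC 3954 field types used by the constructed templates below.
FIELD_NAMES = {
    1: "in_bytes", 2: "in_pkts", 4: "protocol", 5: "src_tos",
    7: "l4_src_port", 8: "ipv4_src_addr", 11: "l4_dst_port",
    12: "ipv4_dst_addr", 60: "ip_protocol_version",
}
HEADER = struct.Struct("!HHIIII")  # version, count, sysUpTime, unix secs, sequence, source ID


def _value(ftype, raw):
    if ftype in (8, 12) and len(raw) == 4:
        return str(ipaddress.IPv4Address(raw))
    return int.from_bytes(raw, "big")


def parse_v9(packet, templates):
    """Decode one export packet into a list of flow dicts. `templates` maps
    (source_id, template_id) -> field list and must persist across calls, since
    data FlowSets need a template that may have arrived in an earlier packet."""
    version, _count, _uptime, _secs, _seq, source_id = HEADER.unpack_from(packet)
    if version != 9:
        raise ValueError("not NetFlow v9: version %d" % version)
    records, offset = [], HEADER.size
    while offset + 4 <= len(packet):
        fs_id, fs_len = struct.unpack_from("!HH", packet, offset)
        if fs_len < 4 or offset + fs_len > len(packet):
            raise ValueError("bad FlowSet length")  # wire lengths are untrusted input
        body = packet[offset + 4:offset + fs_len]
        if fs_id == 0:  # Template FlowSet: one or more template definitions
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack_from("!HH", body, pos)
                pos += 4
                if pos + 4 * nfields > len(body):
                    raise ValueError("truncated template")
                fields = [struct.unpack_from("!HH", body, pos + 4 * i) for i in range(nfields)]
                pos += 4 * nfields
                # Template IDs are only unique per exporter source ID, so key on both.
                templates[(source_id, tid)] = fields
        elif fs_id >= 256:  # Data FlowSet: fs_id is the template ID
            fields = templates.get((source_id, fs_id))
            if fields is not None:  # no template yet: skip (a real collector would buffer)
                rec_len = sum(flen for _, flen in fields)
                pos = 0
                while rec_len and pos + rec_len <= len(body):  # leftover < rec_len is padding
                    rec = {}
                    for ftype, flen in fields:
                        rec[FIELD_NAMES.get(ftype, "field_%d" % ftype)] = _value(ftype, body[pos:pos + flen])
                        pos += flen
                    records.append(rec)
        # fs_id 1 (options template) and 2..255 (reserved) are ignored here.
        offset += fs_len
    return records


def build_template_flowset(tid, fields):
    body = struct.pack("!HH", tid, len(fields)) + b"".join(struct.pack("!HH", t, l) for t, l in fields)
    return struct.pack("!HH", 0, 4 + len(body)) + body


def build_data_flowset(tid, records):
    body = b"".join(records)
    body += b"\0" * (-len(body) % 4)  # exporters pad FlowSets to a 32-bit boundary
    return struct.pack("!HH", tid, 4 + len(body)) + body


def build_packet(flowsets, seq, source_id, count):
    return HEADER.pack(9, count, 123456, 1700000000, seq, source_id) + b"".join(flowsets)


# Constructed templates: the "WLAN" record as first defined (1-byte header fields,
# 4-byte addresses, 8-byte "long" counters), then with the two 2-byte port fields.
WLAN_FIELDS = [(60, 1), (5, 1), (4, 1), (8, 4), (12, 4), (1, 8), (2, 8)]
WLAN_PORT_FIELDS = WLAN_FIELDS + [(7, 2), (11, 2)]


def demo():
    """Return (records_before_ports, records_after_ports) from constructed exports."""
    ip = ipaddress.IPv4Address  # addresses below are made up
    flow_old = struct.pack("!BBB4s4sQQ", 4, 0, 17, ip("10.1.26.50").packed, ip("10.1.8.20").packed, 4200, 6)
    flow_new = struct.pack("!BBB4s4sQQHH", 4, 0, 6, ip("10.1.26.51").packed, ip("172.16.9.10").packed,
                           98304, 72, 51234, 443)
    templates = {}
    before = build_packet([build_template_flowset(256, WLAN_FIELDS),
                           build_data_flowset(256, [flow_old])], seq=1, source_id=0, count=2)
    after = build_packet([build_template_flowset(257, WLAN_PORT_FIELDS),
                          build_data_flowset(257, [flow_new])], seq=2, source_id=0, count=2)
    return parse_v9(before, templates), parse_v9(after, templates)


if __name__ == "__main__":
    before, after = demo()
    print("before adding ports:", before)  # no port keys at all, so a collector shows port 0
    print("after adding ports: ", after)
```

To use it against a live switch, bind a UDP socket on 9995, feed each datagram to parse_v9() with a templates dict kept per exporter address, and only accept datagrams from the exporter source you configured (Vlan999 here): NetFlow v9 over UDP carries no authentication, so anything that can reach the collector port can feed it templates and flows.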
3850-1(config)#interface vlan 1420
3850-1(config-if)#ip flow monitor V4-IN ?
  input    Apply Flow Monitor on input traffic
  output   Apply Flow Monitor on output traffic
  sampler  Optional Sampler to apply to this Flow Monitor
3850-1(config-if)#ip flow monitor V4-IN input
% Flow Monitor: Flow Monitor 'V4-IN' flexible netflow not supported on vlan interfaces

As the error above shows, Flexible NetFlow cannot be applied to an SVI on the 3850. If you want to apply it to a Layer 3 interface, it has to be a physical routed port. If your 3850 is acting as a proper L3 switch you should have a routed port from that switch to your core, and you can apply the flow monitor on that routed port. In my case we have a Layer 2 access model, and as long as we can monitor the WLAN traffic at that level we are fine with that.